How to prevent secrets from being exported as an artifact?

Tim Chaffin February 27, 2023

We've found an issue with Bitbucket Cloud, where any user with write permissions has the ability to export the runtime secrets, including workspace / repository / deployment secrets, to an artifact. Like so:

1. A user with write access creates a new branch from the main branch.

2. That user then modifies the bitbucket-pipelines.yml file, and adds a step similar to this:

    ...
            script:
              - printenv | tee output.txt
    ...
            artifacts:
              paths:
                - output.txt

3. Then that user can push the changes, and within that branch execute the step, and download the artifact, revealing all of the secrets.

How do you prevent this kind of leakage?

1 answer

0 votes
Theodora Boudale
Atlassian Team
March 1, 2023

Hi Tim,

We mention this in our documentation here:

    Workspace variables can be accessed by all users with write permission for any repository (private or public) that belongs to the team or account.

    Pipelines variables added at the repository level can be used by any user who has write access in the repository.

There is no way to prevent this for workspace and repository variables. However, it is possible to restrict access to deployment variables to admins only:

  • Open the page of a repo on Bitbucket Cloud website and go to Repository settings > Deployments
  • For every deployment environment, there is an option Only allow admins to deploy to this environment.

If your workspace is on the Premium plan, you can enable this option for certain or all deployment environments. If someone who is not an admin triggers a pipeline to an environment that has this feature enabled, the build will get paused.

An admin of the repo can resume a paused build or do nothing. Selecting the cog icon from the following screenshot in the paused build will show you the yml file for the commit/branch that triggered the pipeline:

[Screenshot: paused build with the cog icon]

Kind regards,
Theodora
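To make the answer concrete, here is an added example bitbucket-pipelines.yml (not from the original post or from Atlassian) that puts the exfiltration step from the question next to the only arrangement the answer offers as a mitigation: the secret is defined as a deployment variable rather than a repository variable, and the step that needs it is marked as a deployment. The variable name API_TOKEN, the environment name "production", the image tag and the deploy script are assumptions for illustration.

```yaml
# Added example, not from the original post. Assumes:
#   - a deployment environment named "production" exists under
#     Repository settings > Deployments with "Only allow admins to deploy
#     to this environment" enabled (Premium plan);
#   - API_TOKEN is defined as a *deployment* variable on that environment,
#     not as a workspace or repository variable;
#   - ./deploy.sh is a hypothetical script committed to the repository.
image: atlassian/default-image:4

pipelines:
  default:
    # Weak: any user with write access can add this step on a branch and run
    # it. Workspace and repository variables are injected into every step,
    # so dumping the environment into an artifact exposes all of them.
    # Marking a variable "Secured" only masks it in the build log; the
    # artifact file is downloaded as written.
    - step:
        name: Dump environment (exposes workspace/repository variables)
        script:
          - printenv | tee output.txt
        artifacts:
          paths:
            - output.txt

  branches:
    main:
      # Hardened: API_TOKEN lives only on the "production" deployment
      # environment, so it is injected solely into steps that declare
      # `deployment: production`. With admin-only deploys enabled, a run of
      # this step triggered by a non-admin pauses before it starts, and an
      # admin can inspect the yml of the triggering commit before resuming.
      - step:
          name: Deploy to production
          deployment: production
          script:
            - ./deploy.sh "$API_TOKEN"
```

Two caveats follow directly from the answer. First, the gate protects only deployment variables: the first step above still works for workspace and repository variables no matter how the environment is configured, so anything that must not be readable by every writer has to be a deployment variable. Second, the pause is a review point, not a filter: an admin who resumes without reading the yml of the triggering commit will run whatever that branch put in the deployment step, including the same printenv-to-artifact trick.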
